CVE-2024-1047
MEDIUM
ThemeIsle SDK - Unauthenticated Data Modification via register_reference() Missing Capability Check
Title source: llm
Description
Multiple plugins and/or themes for WordPress with the ThemeIsle SDK are vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in various versions. This makes it possible for unauthenticated attackers to update options values that allow ThemeIsle to track promotional activities via utm_source.
Scores
CVSS v3: 5.3
EPSS: 0.0056
EPSS Percentile: 42.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-862
Status: published
Products (13)
optimole/Optimole – Optimize Images in Real Time (< 3.12.4)
optimole/Super Page Cache (< 4.7.5)
rsocial/Revive Social – Social Media Auto Post and Scheduling Automation Plugin (< 9.0.25)
themeisle/LightStart – Maintenance Mode, Coming Soon and Landing Page Builder (< 2.6.9)
themeisle/Menu Icons by ThemeIsle (< 0.13.8)
themeisle/Multiple Page Generator Plugin – MPG (< 3.4.0)
themeisle/Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More (< 2.10.28)
themeisle/orbit_fox (< 2.10.28)
themeisle/Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE (< 2.6.2)
themeisle/PPOM – Product Addons & Custom Fields for WooCommerce (< 32.0.9)
... and 3 more
Published: Feb 02, 2024
Tracked Since: Feb 18, 2026